Date: Tue, 11 Oct 2011 12:26:42 +0200
From: Ferenc Kovacs <tyra3l@...il.com>
To: secn3t@...il.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Wipe off, rub out, reappear...

"Is obvious, this is a very well made executable :)"

On Tue, Oct 11, 2011 at 12:18 PM, xD 0x41 <secn3t@...il.com> wrote:
> I don't care about *their* setup, and I said that, I only stated what CAN be
> done, in capable hands.. simple.
> You are reading deep into something, you seem to understand fkall about,
> seriously.
>
>
> On 11 October 2011 21:16, Christian Sciberras <uuf6429@...il.com> wrote:
>>
>> I already beat you up to it - you know nothing about their setup.
>> You don't know if their infection is the result of a botnet.
>> I don't deny you know anything about botnets, I'm just saying from the
>> looks of it you jumped to a load of conclusions without any proof whatsoever.
>>
>>
>>
>> On Tue, Oct 11, 2011 at 12:11 PM, xD 0x41 <secn3t@...il.com> wrote:
>>>
>>> screw it, I'm a bite, I know my shit here..
>>> If I was not so smart, then I guess I would not have a modified ircd
>>> which is similar... wow I know.. just seems you don't know crap about c&c
>>> botnets, that's for sure. I think I outlined a *good* setup, as I have seen
>>> it, or would not have bothered to state the mods made.. is that simple. Whether
>>> it is hard to code or not, is not my business, nor I care for.. I just know,
>>> how they run, and, don't try bs me about what I do and don't know, because on
>>> this topic son, I have plenty of experience, and could easily match this
>>> with an AV spokesperson, and would not hesitate to, but what gains it to me
>>> ? None.
>>> I am here for those who give a crap, you sir, know nothing, at all, about
>>> even the controlling side of a good botnet which, spreads fast.
>>> Most people, simply do not want you on them, then the better ones, simply
>>> hide as users on irc anyhow ;)
>>> Then again, I wouldn't know shit ey.
>>> gnite :-)
>>> have fun trying to pick apart anything with me in this area, I will enjoy
>>> tearing your anus out, word by word if I have to.
>>> xd
>>>
>>>
>>> On 11 October 2011 20:29, Christian Sciberras <uuf6429@...il.com> wrote:
>>>>
>>>> If you ask me, you sound like bragging on something you wrote.
>>>> Either that, or you're clueless to what you are saying.
>>>> Just because my younger brother won't understand 5 lines of code I wrote
>>>> doesn't make my 5 liner smart...
>>>> Applying the analogy here, just because they're possibly clueless to how
>>>> OS internals work doesn't mean the virus is doing anything particularly
>>>> smart.
>>>>
>>>>
>>>> On Tue, Oct 11, 2011 at 1:55 AM, xD 0x41 <secn3t@...il.com> wrote:
>>>>>
>>>>> Is obvious, this is a very well made executable :)
>>>>> Or, set up well to spread and then hide, and doing so with even its
>>>>> phone home, which is normal nowadays, for example consider an ircd, it uses
>>>>> PING/PONG, what if you change the rfc, and use ascii characters, then do this
>>>>> to the bot, remove USER mode completely only allow it for set modes/opers,
>>>>> and then try take the thing down, if it is connected thru about 40 different
>>>>> ips and does not rely on dynamic dns...
>>>>> it is not impossible, it is happening now, and, it is also visible,
>>>>> however, these c&c centres are so advanced, IDS are just not getting enough
>>>>> info...you cannot do a thing on the properly modified control centres, and,
>>>>> I have seen that code, it is extremely modified version of ircd... it cannot
>>>>> be used by a non operator, and uses a totally different rfc to phone home
>>>>> etc, thus making conventional methods used atm, useless... as they will
>>>>> look for the strings that they know, and always ids will perform some
>>>>> string of commands, and, then slowly the operator sees the servers, and one
>>>>> by one he blocks YOU out of his network.
>>>>> This is a dog eat dog world, bot masters can be exceptionally ingenious
>>>>> when it comes to these things, and masking an exe nowadays, is not as simple
>>>>> as some peoples SFX rar kits :)
>>>>> So even kits nowadays, can be way more advanced than 2008/2009 even...
>>>>> there has been a burst of tech, so there is also a burst in virus
>>>>> numbers... but, smart c&c centres, you won't take down so easily, and they
>>>>> will move before you can even decrypt their settings... which is exactly why
>>>>> stuxnet is non stoppable.. unless the owner shuts it down, it won't be
>>>>> killed..
>>>>> xd
>>>>>
>>>>>
>>>>>
>>>>> On 11 October 2011 10:45, Bob Dobbs <bobd10937@...il.com> wrote:
>>>>>>
>>>>>> On Mon, Oct 10, 2011 at 4:31 PM, Michael Schmidt
>>>>>> <mschmidt@...gstore.com> wrote:
>>>>>>>
>>>>>>> If it's bot net code and it is behind an air barrier then it will
>>>>>>> never phone home. They
>>>>>>
>>>>>> It already broke the "air wall" to get in. It can certainly do so to
>>>>>> get out.
>>>>>>
>>>>>> Bob
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>
>>
>
>
>



-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
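
Added example, not part of any message in this thread: the quoted point that an IDS will "look for the strings that they know" is the case for matching on timing instead of payload. This sketch flags sessions whose small messages arrive at near-constant intervals, whatever the keepalive text is; the record layout, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (epoch_seconds, src, dst, dst_port, payload_bytes).
SAMPLE = (
    # 10.0.0.5: one small message roughly every 90 s (keepalive-like, any wording).
    [(1000 + 90 * i + (i % 3), "10.0.0.5", "203.0.113.7", 8443, 22) for i in range(12)]
    # 10.0.0.7: small messages at irregular, human intervals (e.g. a chat user).
    + [(t, "10.0.0.7", "192.0.2.44", 6667, 40)
       for t in (1000, 1005, 1100, 1130, 1500, 1510, 1900, 1960, 2500)]
    # 10.0.0.9: ordinary web traffic with larger payloads.
    + [(t, "10.0.0.9", "198.51.100.20", 443, s)
       for t, s in ((1003, 517), (1004, 1460), (1190, 880), (1700, 95), (2400, 640))]
)


def keepalive_candidates(records, min_msgs=8, max_cv=0.1, max_bytes=64):
    """Return {(src, dst, port): mean_interval_seconds} for sessions whose small
    messages are evenly spaced. Payload content is never inspected."""
    sessions = defaultdict(list)
    for ts, src, dst, port, size in records:
        if size <= max_bytes:                      # keepalives are small
            sessions[(src, dst, port)].append(ts)
    flagged = {}
    for key, stamps in sessions.items():
        if len(stamps) < min_msgs:                 # too few points to judge
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation: low means machine-like regularity.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged[key] = round(avg, 1)
    return flagged


if __name__ == "__main__":
    for session, interval in keepalive_candidates(SAMPLE).items():
        print(session, "mean interval", interval, "s")
```

The irregular chat session and the web traffic are not flagged; a client that adds random jitter to its keepalive defeats a fixed `max_cv`, so this is a triage signal to combine with others.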

